The present application relates to data security, and particularly, to a method and an apparatus for generating a security token carrier. At present, there are more and more Internet applications, such as online games, e-commerce and so on. Malicious behaviors including stealing user accounts and virtual properties are also becoming rampant and put users' various virtual properties at risk. In order to protect virtual properties of authorized users, user identities are checked by verifying login passwords of users when the users attempt to log into a system. But verification of login password is not enough to authenticate a user because the login password verification may be easily cracked through brutal guessing attempts, or through intercepting keyboard signals or through obtaining screenshots of the user and so on. One common method that is relatively secure in terms of protection of authorized users involves setting for a user multiple dedicated tokens and verifying one or more tokens besides the password verification to prove the user is authorized. Currently carrier of a token (also referred to as security token carrier) is often called a security token card.